Box Offers to Streamline the GDPR Readiness Journey

As discussed with a handful of significant thought leaders in the content management space in an exclusive CMS-Connected piece last week, integrating robust GDPR capabilities has been one of the main focuses of content management solution providers during the past year. The EU’s General Data Protection Regulation (GDPR) is going into effect on May 25, 2018. It is no wonder that vendors are continuously and rapidly enhancing their platforms to help organizations prepare for, understand, and address the GDPR compliance requirements, while marketers are scrambling to re-strategize their marketing programs, because the post-GDPR era will end wide-scale data collection for marketing purposes without consumer consent. Failure to meet the GDPR requirements can result in fines up to €20 million or 4% of annual global turnover (whichever is greater).

As part of its GDPR readiness and compliance efforts, Box Inc., an enterprise content management system provider, announced two GDPR-compliant offerings to assist its customers in meeting verification needs; one solution is software while the other is new consulting services.

“Business today is more connected and global than ever. Customer expectations have never been higher, and there is immense pressure to move faster, work across the extended enterprise, and deliver new experiences,” said Stephanie Carullo, COO of Box. “In the digital workplace, traditional approaches to data protection are obsolete. Businesses need modern cloud platforms that can power the future of work and meet tomorrow’s security, compliance and regulatory needs. Box is laser-focused on this challenge and the GDPR is a huge opportunity to extend next-generation data protection to the cloud.”

New Self-Serve Data Processing Addendum

One of the new announcements was the Data Processing Addendum (DPA), a self-serve document that only requires an electronic signature from customers. Once signed, it will automatically be sent to the Box Legal team, and if accurately completed, the DPA will then become legally binding. As a result, customers will be able to verify their use of Box’s GDPR compliance offerings, and that way, they will have proof to demonstrate to third-party auditors that their data is being processed in a way that complies with the GDPR requirements. The DPA, pre-signed by Box, walks customers through getting the legal documentation in place. Being able to comply with the GDPR obligations with just a couple of clicks is probably music to the ears of many organizations as, by the end of 2018, more than 50 percent of companies affected by the GDPR will not be in full compliance with its requirements, according to Gartner.

The Redwood City, Calif.-based vendor claims that it provides the most comprehensive set of EU third-party certifications and bills itself as the only company that uses Global Binding Corporate Rules (BCRs) both as a processor and data controller. “We’ve invested significant resources toward GDPR compliance and we are committed to practicing transparency in how Box handles personal data. No one has made global data compliance in the cloud easier,” says Pete McGoff, Chief Legal Officer of Box.

New Data Protection Services

Box Consulting rolled out a new compliance-focused consulting engagement to help customers understand the compliance requirements of the GDPR, PCI DSS, FedRAMP, and HIPAA from a cloud content management perspective.

According to the vendor, the engagement is run by experts from both the Box Compliance and Box Consulting teams to help customers address their data protection and privacy obligations in relation to their Box usage. The experts bring cross-industry perspectives on compliance obligations and a deep understanding of the Box product capabilities.

The data protection service includes the following:

  • Assisting customers in developing a strategy for categorizing their data and running the corresponding risk profile analysis

  • Assisting customers to develop a data protection framework that is based on the customer's own unique data protection risk profile

  • Providing implementation services to assist customers with implementing Box in accordance with their own derived implementation framework

  • Cross-industry perspectives on Compliance/Data Protection Obligations

Here’s an interview with the leadership team of Virgin Trains on how they provide content and document security with the GDPR in mind by utilizing Box’s products such as Box Zones, which provide customers with in-region data storage, and Box Governance, which enables customers to comply with data retention policies, satisfy e-discovery requests, and effectively manage sensitive information.

How About Silicon Valley’s GDPR Readiness Journey?

GDPR will fundamentally change how digital marketing works today, and as discussed before, not only European Union-based organizations but also all entities doing business in the EU, including tech giants like Google and Facebook, will be affected by the legislation.

Given that personal data makes up the foundation of their business models, one would think that the tech titans would fight back over the coming GDPR compliance requirements. However, the real scenario is a little surprising. “There has not been any pushback from American companies,” said Vera Jourová, the European Commissioner for Justice, Consumers and Gender Equality. “If anything, they seem very eager to understand how exactly they can comply with the regulation.”

From Gmail to its Cloud storage services, Google, for instance, went through each product to comply. In the scope of GDPR readiness efforts, Google developed many consent agreements and changed underlying technology to make it easier to remove someone’s data. When you think of its size, it is a huge process and requires the deployment of hundreds of people to get those tasks done. Gilad Golan, Google’s director for security and data protection, claimed: “When GDPR goes into effect in 2018, we will be ready.”

Facebook, on the other hand, compiled user security settings into a single page, instead of forcing users to go through several pages for different scenarios, in an effort to meet all the requirements of the GDPR. To avoid violating GDPR rules, the social network giant has decided to keep some of its new products out of Europe, like facial recognition software or its AI-powered program that monitors Facebook users for signs of self-harm.

Amazon, too, confirmed that it would comply with the requirements of the GDPR when it becomes enforceable in May. Amazon hasn’t outlined the details of its work in relation to GDPR readiness, but AWS accelerated the encryption around the data it stores on its cloud storage services. The cloud giant also gives its customers the right to choose where they want their data stored. In addition, like Box, Amazon offers a new Data Processing Agreement (GDPR DPA) that will meet the requirements of the GDPR. This GDPR DPA is available to all AWS customers to help them prepare for May 2018.

A couple of years ago, at an event in Washington, Apple CEO Tim Cook gave a very controversial speech on protecting personal data. “I’m speaking to you from Silicon Valley, where some of the most prominent and successful companies have built their businesses by lulling their customers into complacency about their personal information,” said Cook. “They’re gobbling up everything they can learn about you and trying to monetize it. We think that’s wrong. And it’s not the kind of company that Apple wants to be.”

In the meantime, Julie Brill, a Corporate Vice President and Deputy General Counsel at Microsoft, said in an interview: “We embrace GDPR because it sets a strong standard for privacy and data protection rights, which is at the core of our business. We began work on GDPR as soon as it was adopted by the European Union. Our preparations for GDPR touch every part of our company.”


Do you remember the heated discussions around the violation of privacy when we found out that tech companies have been reading our emails? The majority were struck by that. It is funny how those social norms can be readjusted. Today, we purchase conversational systems like Alexa or Google Home which let their algorithms scrape more personal data from every inch of our places. We do our grocery shopping at a “smart” Whole Foods store where we are surrounded by sensors that can go far beyond obtaining data on what you picked up and your associated bank account to complete the transaction.

Soon enough, whether it is a virtual or physical environment, everywhere we go will be surrounded by some sort of data mining technologies. As consumers, we all need more democratic control over our own data. I am glad to see that regulations like the General Data Protection Regulation (GDPR) are driving tech titans to adopt better data collection processes and policies while assisting their customers to do the same. These efforts will result in greater trust and greater transparency. Due to its wide scope, the GDPR may set an example for US consumers so they could begin demanding similar data protection regulations from the US government.

Venus Tamturk

Venus is the Media Reporter for CMS-Connected, with one of her tasks to write thorough articles by creating the most up-to-date and engaging content using B2B digital marketing. She enjoys increasing brand equity and conversion through the strategic use of social media channels and integrated media marketing plans.
